Electric protection system for nuclear reactors



Dec. 14, 1965 TROEGER 3,223,590

ELECTRIC PROTECTION SYSTEM FOR NUCLEAR REACTORS Filed May 28, 1963 TEMP. GAGES AAI United States Fatent O 3,223,590 ELECTRIC PROTECTION SYSTEM FOR NUCLEAR REACTORS Herbert Troeger, Baiersdorf, Germany, assignor to Siemens-Schuckertwerke Aktiengesellschaft, Berlin- Siemensstadt, Germany Filed May 28, 1963, Ser. No. 283,895 Claims priority, application Germany, June 1, 1962, S 79,726 2 Claims. (Cl. 17624) My invention relates to protective electric systems for nuclear reactors.

Nuclear reactors must exhibit absolute operational reliability and must provide for rapid shutdown in the event of failure to prevent reactor accidents from assuming catastrophic proportions. It has been customary practice, therefore, to equip each reactor plant with a number of monitoring devices which allow for fully satisfactory control and supervision of the reactor operational conditions. Devices of this type automatically actuate the reactor warning equipment or safety shutoff means upon sensing a condition exceeding a predetermined maximum magnitude.

As a rule, reactor safety devices posses a plurality, for instance three probes or sensors for each condition to be monitored, thereby assuring redundant safety control against possible failures occurring in any one of these devices. Each of these sensors, or probe devices possesses a switch contact which it energizes. Conventionally, the contacts are interconnected so that the safety apparatus of the reactor will respond only when two out of three sensor devices monitoring one particular condition actuate their contacts. Thus the likelihood of an undesired shutoff, due to a defect in the sensor device, is substantially reduced.

The individual contacts of the three sensors monitoring a condition are each connected in series with the corresponding individual contacts of the three sensors monitoring other conditions to form three series shutoff lines each having a contact from each condition. The shutoff lines each actuate relay means which engage a shutoff control when a contact in two out of three lines is open.

However, the conventional system will shut off even if the open contacts in each of two lines do not belong to sensors monitoring the same condition. Thus, opening of a contact in each of two lines is not necessarily indicative of faulty reactor operation, but may merely be due to defects in two different probes. Consequently, a reactor shutoff resulting therefrom would be superfluous and in certain cases would involve unnecessary expenditure and waiting time before the reactor may again be turned on.

, An object of my invention is to provide a safety circuit which obviates these shortcomings.

A more particular object of my invention is to provide a shutoff system which will reliably avoid shutdown due to improper operation of its components and which operates on a two-out-of-three basis.

According to a feature of my invention I again provide three sensors for each condition to be monitored and three parallel shutoff lines each terminating in a relay coil for actuating a two-out-of-three shutoff control between a source and the reactor. However, for each condition to be monitored and at series-connected locations, I divide each shutoff line into two parallel branches, the number of thus produced series-connected branch pairs on each line being equal to the number of conditions to be monitored and corresponding to one of the sensors, and I provide each sensor with three contacts in the corresponding branch pair by distributing them among the two branches in a different manner for each branch pair corresponding to the same condition.

According to another feature of my invention, I check the operation of the sensors by connecting in each branch warning signal means.

Other objects and advantages of the invention will be explained or become obvious from the following detailed description when read in light of the accompanying drawing wherein:

FIG. 1 is a schematic diagram of a conventional safety circuit; and

FIG. 2 is a schematic diagram of a safety circuit embodying features of the invention.

In FIGS. 1 and 2 the different conditions to be monitored are denoted by the subscripts *1, 2, 3, up to n, and are each measured by three measuring probes A, B and C having corresponding connecting contacts denoted by respective reference characters a, b and 0. Thus the sensors A B C and A B C A B C possess respective connecting contacts a b and c and a b 0 a 13 and a In FIG. 1, all of the contacts a. are connected in series between a positive lead L and a negative lead L to form a turnoff line I. Similarly, contacts 11 are connected in series and contacts c are connected in series to form turn-off lines If and III respectively. Also connected in series in the lines I, II and III are respective coils of relays S S and S These relays S S and S are normally energized during reactor operation so that they operate in accordance with a fail-safe principle and their respective contacts are closed. Their respective contacts are designated .9 s s and connected in series with the coils of power relays G, H, K, respectively, between the lines L L Relays G, H, K each possess two contacts designated g and g h and h k and k connected as shown in series with the reactor control SCR between lines L and L so as to operate on a two out of three basis.

If any one of the sensors or probes A, B, C responds, indicating that the limit magnitude that has been set therefor is exceeded, the corresponding relay 8;, S or S in the turnoff line is deenergized so that the operating contacts thereof will open and deenergize one of the power relays G, H, or K. If the same condition also occurs in a second turnoff line, another power relay G, H or K is deenergized by means of power contactors s s or s Now, two relays, for example G and H are deenergized. This in turn opens the corresponding contacts g and h, opening both lines between the lead L and control SCR so that the reactor turnoff rods: will be deenergized. No matter which two relays G, H, K are deenergized, they will be suflicient to open the line between lead L and control SCR, so that any combination of open contacts in at least two shut-off lines I, II or III will deenergize the turnoff rods.

In the event of actual failure or breakdown in the reactor operation, at least two contacts in different circuit lines monitoring the same signal would respond and release the rods.

However, this release of rods is not absolutely indicative of faulty react-or operating conditions. Such release can occur if two individual faulty probes or contacts not monitoring the same condition, for example the probes A and C were faulty and opened their contacts simultaneously. This could happen despite the reactors operating normally and result in an unnecessary shutdown.

The circuit according to the present invention, an embodiment of which is illustrated in FIG. 2, releases rods only in response to actuation of two monitoring probes simultaneously by the same monitored condition, so that monitoring probe failures or defects cannot result in reactor turnoff. In FIG. 2 a positive lead L and a negative lead L energize a reactor control SCR by means of a shutoff circuit T to be further described, and energize as well a safety circuit comprised of shutoff lines I, II, III. Again here in FIG. 2 for purposes of safety, the various conditions to be monitored are each measured by three separate devices. For example, the temperature at location 1 is measured by temperature gauges AA BB and CC Similarly, three neutron flux gauges AA BB and CC, measure the same neutron flux. These monitoring devices are generally designated AA BB and CC where x=l, 2 n, representing the conditions to be monitored. This corresponds substantially to the condi- .tions in FIG. 1. However, according to the present invention as embodied in FIG. 2, each monitoring device or probe AA BB and CC when subjected to a condition beyond a predetermined safe range, opens not only one contact as in FIG. 1 but rather three contacts. Thus, each monitored condition corresponds to nine contacts. Each probe AA BB and CC has one contact in each shutoff line I, II and III. The contacts corresponding to each probe are designated by the lower case letter corresponding to the probe reference letter and the corresponding subscript numeral. A second subscript numeral on the contact designation indicates the shutoff line in which the particular contact appears. Thus, the probes AA BB and CC possess respective contacts aa bb cc where y=I, II and III, the numbers of the turnoff lines. More specifically then, the temperature gauge AA; possesses a contact aa in the line I, aa in the line II and aa in the line III. This is obvious from the FIG. 2.

For each condition to be monitored, the shutoff lines I, II, III are divided into two parallel branches or branch pairs P (where x=1, 2 n, the condition to be monitored, and y=I, II, III, the shutoff lines). Thus each shutofi line will possess n branch pairs. For each monitored condition, the contacts aa bb and cc, are distributed within the branch pairs and connected within the branch pairs to form a different circuital pattern. Thus, for the condition 1 to be monitored by temperature gauges AA BB and CC the contacts aa bb and ce are distributed differently within the branch pair P than are the contacts aa bb cc within the branch pair P which are in turn differently arranged than the contacts Hun, bbun, C0111]: Within the branch Pail P1111.

The branch pairs P in each line are connected in series with each other and in series with respective relays SS SS and 85 The latter energize the switches or armatures SS and ss ss and ss and ss m and ss in the circuit T controlling the reactor control SCR. The parallel branches assure that as long as only one of the probes AA BB CC are energized, there will remain a path of current flow from the positive lead L to the negative lead L thereby maintaining current through the power relays SS SS and 88 thereby maintaining closed all the switches ss ss and ss so as to energize the reactor control. However, if any two probes at the same monitored locatiton, for example the probes AA and BB release their contacts, two branches of at least two branch pairs, for example P P in two different lines I and II, will interrupt the flow of current from the lead L to at least two of the relays SS SS SS for example the relays SS; and SS and shut off the reactor.

If, for example, one probe at one monitored location and one probe at another monitored location are both opened accidentally, (and not indicating reactor breakdown), for example if the probes AA and BB release their respective contacts, the relays SS SS and 85 would still remain energized, thereby holding in their respective switches and maintaining the energy under reactor control. Such an accident in FIG. 1 would result in deenergizing the reactor control and subsequent release of the control rods, despite the fact that the conditions indicated do not result from reactor breakdown.

The circuit of FIG. 2 permits frequent checking of whether the probes AA BB CC are ready to operate without disturbing the overall operation of the plant or disconnecting the turnoff line. This minimizes the risk of an undesired shut-off combination with a sudden and unexpected faulty release. For this purpose, there is provided in one branch line of each pair a relay xRy and in the other branch line of the pair of relay xRy. These relays are preferably provided with oppositely directed windings to reduce their inductance to a value equalling almost zero so as not to constitute a load for the contacts and thereby avoid a source of trouble. In FIG. 2 the relays operate on a single-pole basis.

The two windings xRy and xR'y are the two mutually opposed windings of a single differential relay. They act upon a test contact r which, when closed, lights an indicator lamp L. When the contacts aa bb and co are all closed, the two relay portions 1R and IR' are both energized so that their inductive effects cancel each other and the relay contact r remains open. However, when any one of the three contacts aa b11 cs opens, one of of the relay portions is deenergized, and the contact r closes.

It will be obvious to those skilled in the art that the device according to the invention is not restricted to the reactor engineering art but may be useful in other applications, for example the chemical industries requiring similar safety provisions. It will also be obvious to those skilled in the art that although an embodiment of the invention has been shown in detail, the invention may be embodied otherwise.

I claim:

1. A reactor safety circuit comprising three probe means for separately responding to the same reactor condition to be sensed, each of said three probe means having three contacts, three line means in mutually parallel relation each including one contact from each trio of probe means, each line means forming two parallel branches and having a relay coil in series with said parallel branches, the three contacts in each line means being distributed among the branches of the respective line means in a manner differing from the distribution in the branches of the other line means, and relay switches responding to the relay coils and adapted to be series connected between a reactor control and a source so as to cut off the reactor if two out of three of said relay coils are unenergized, said branches each including low inductance check relay means.

2. A safety circuit for a reactor having a plurality of conditions to be monitored, comprising three probe means for monitoring each condition, each probe means having three contacts, three line means in mutually parallel relation each having relay means, said lines each being divided into a plurality of series-connected parallel branch pairs corresponding to respective monitored conditions, the contacts from each probe means being included in respective branch pairs corresponding to the same monitored condition whereby each branch pair includes one from each probe monitoring the same condition, the contacts in each branch pair being distributed among the branches to form a circuit different from that formed in the other branch pairs corresponding to the same condition, relay coils in each line and in series with the branch pairs, and relay switches responding to the relay coils and adapted to be series connected between a reactor control and a source so as to cut off the reactor if two out of three of said relay coils are unenergized.

References Cited by the Examiner UNITED STATES PATENTS 2/1961 Nye 317l35 12/1963 Strong et a1 17624 

1. A REACTOR SAFETY CIRCUIT COMPRISING THREE PROE MEANS FOR SEPARATELY RESPONDING TO THE SAME REACTOR CONDITION TO BE SENSED, EACH OF SAID THREE PROBE MEANS HAVING THREE CONTACTS, THREE LINE MEANS IN MUTUALLY PARALLEL RELATION EACH INCLUDING ONE CONTACT FROM EACHTRIO OF PROBE MEANS, EACH LINE MEANS FORMING TWO PARALLEL BRANCHES AND HAVING A RELAY COIL IN SERIES WITH SAID PARALLEL BRANCHES, THE THREE CONTACTS IN EACH LINE MEANS BEING DISTRIBUTED AMONG THE BRANCHES OF THE RESPECTIVE LINE MEANS IN A MANNER DIFFERING FROM THE DISTRIBUTION IN THE BRANCHES OF THE OTHER LINE MEANS, AND RELAY SWITCHES RESPONDING TO THE RELAY COILS AND ADAPTED TO BE SERIES CONNECTED BETWEEN A REACTOR CONTROL AND A SOURCE SO AS TO CUT OFF THE REACTOR IF TWO OUT OF THREE OF SAID RELAY COILS ARE UNENERGIZED, SAID BRANCHES EACH INCLUDING LOW INDUCTANCE CHECK REALY MEANS. 